IETF Logo Mail Archive

Re: [TLS] Another IRINA bug in TLS

Watson Ladd <watsonbladd@gmail.com> Thu, 21 May 2015 13:59 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5641A0248 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 06:59:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iqdKAyDflPLH for <tls@ietfa.amsl.com>; Thu, 21 May 2015 06:59:48 -0700 (PDT)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D78FE1A011B for <tls@ietf.org>; Thu, 21 May 2015 06:59:47 -0700 (PDT)
Received: by wgbgq6 with SMTP id gq6so86735220wgb.3 for <tls@ietf.org>; Thu, 21 May 2015 06:59:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=oqcm2w7lfqRgUGI4B4h3J4/SN4e1DtYdybgYp96QGvM=; b=U2csXPxrVZOjn77r5Udsp7ghCRvwuUcxoQCq3McRcoFllLwS0ylxK9+iEwrtAhstc0 vJcVjx2APngF7Lua2PJq467KdralUIQWEYr9R4BOZgniGeO3l9Z2tYN/dg4toTuunpDN sC1Sp8WtjcmpsT37Xb7Pfy2yj+A3jwFZ5pRreRDQ52Vzot8gxf/uJEhS6GQDds9ly5I2 dkOh0XmSP7ghfnI70EQ4MS6oE6rV40gMfElPeJLQTgD4VQ4LfSlu/2WcClcFvGhPTOAE 9whIpICiEOz9Y1Z2wD8/yVaAIFZCqDDsl2I0h48SSfxOFaGcvIN/XyHMSIzDZ7o5yGnP OoCg==
MIME-Version: 1.0
X-Received: by 10.194.248.227 with SMTP id yp3mr5586954wjc.32.1432216786642; Thu, 21 May 2015 06:59:46 -0700 (PDT)
Received: by 10.194.20.97 with HTTP; Thu, 21 May 2015 06:59:46 -0700 (PDT)
In-Reply-To: <1432216095.3243.70.camel@redhat.com>
References: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com> <1432134170.2926.9.camel@redhat.com> <9A043F3CF02CD34C8E74AC1594475C73AB027EED@uxcn10-tdc05.UoA.auckland.ac.nz> <555D90F6.10103@redhat.com> <1432195799.3243.18.camel@redhat.com> <555DBCE6.7080308@redhat.com> <1432206909.3243.45.camel@redhat.com> <555DBF7E.9050807@redhat.com> <1432207863352.27057@microsoft.com> <555DC498.2000109@redhat.com> <1432209104.3243.65.camel@redhat.com> <1432211226723.39265@microsoft.com> <555DDD4A.4040206@azet.org> <1432216095.3243.70.camel@redhat.com>
Date: Thu, 21 May 2015 09:59:46 -0400
Message-ID: <CACsn0cmaDqidzMnLY0gtk6r1CVDASd+m3_vRpa_D5PDK_Wn-vQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/9DRbXxXP_qAGEJvjMdtxxyxU-GY>
Cc: Florian Weimer <fweimer@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 13:59:50 -0000

On Thu, May 21, 2015 at 9:48 AM, Nikos Mavrogiannopoulos
<nmav@redhat.com> wrote:
> On Thu, 2015-05-21 at 15:27 +0200, Aaron Zauner wrote:
>
>> I'm curious: what are instances where unsafe primes are still used,
>> generated and distributed for use in TLS? Hence where do we need to
>> deprecate?
>
> The "safe primes" is only a name. There are safe primes for DH that are
> not in the "safe primes" category. The primes used in DSA are such ones.

Why does it even matter? If everyone disabled ciphersuites that never
should have been used in the first place, we wouldn't be having this
conversation. Instead we're planning yet another patch.

We've decided that when responding to security issues, we'll throw on
more options, even when other alternatives exist, with the goal of
never scheduling depreciation. This increases implementation burden,
slows adoption, and ultimately harms security. Notice how we've kept
CBC mode alive by adopting RFC whatever it was, instead of instructing
everyone to move to AES-GCM, which has been out for 7 or so years. At
the same time we've not fixed known problems: logjam is only the
nastiest variation of problems caused by the signature on DH
parameters not indicating the ciphersuite.

Our thinking needs to be geared towards ending these problems.

>
> regards,
> Nikos
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email